North American Network Operators Group

Subject: Re: large organization nameservers sending icmp packets to dns servers
On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote:

> On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote:
>
> But they are hard to argue with. In addition, any UDP truncated response needs to be retried via TCP - blocking it would cause a variety of problems.

"Never reply with anything big and hence never set TC" seems like a reasonable, expedient way to circumvent the problem of wholesale 53/tcp-blocking stupidity. It doesn't make the behaviour any less stupid, though.

The "security" argument looks even more bizarre when you consider what the DO bit in a request will do in general to the size of a response, in the case of an authority server which has signed zone data.

Joe
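The two mechanisms discussed in this message, the TC bit forcing a retry over 53/tcp and the EDNS0 DO bit advertising that a client wants (larger) DNSSEC responses, are shown below as an added, self-contained example; it is not code from the thread or from any of its participants. It builds DNS queries on the wire with and without an OPT record, reads the DO bit back out of them, checks the TC flag in a constructed truncated response, and shows the two-byte length prefix a resolver must add when it retries the same question over TCP. The sample response bytes are constructed here; the function and constant names are this example's own.

```python
import struct

DO_FLAG = 0x8000   # DNSSEC OK bit, high bit of the OPT RR flags (RFC 3225)
TC_FLAG = 0x0200   # TrunCation bit in the DNS header flags (RFC 1035)
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 6891)


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=1, edns=False, do=False, udp_size=4096, txid=0x1234):
    """Build a recursion-desired query; optionally append an OPT RR with DO set.

    udp_size goes in the OPT RR's CLASS field (the UDP payload size the
    requester can accept); DO lives in the high bit of the OPT TTL's low 16 bits.
    """
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += _encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns:
        opt_flags = DO_FLAG if do else 0
        # root name, TYPE=OPT, CLASS=udp_size, TTL=ext-rcode|version|flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_flags, 0)
    return msg


def parse_opt(msg: bytes):
    """Return (udp_size, do) from the OPT RR of a query we built, or None.

    Assumes the message is a query: no answer/authority records and no
    name compression in the additional section (true for build_query output).
    """
    _, _, qd, _, _, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the question section
        while msg[off] != 0:
            off += msg[off] + 1
        off += 1 + 4                    # terminating zero label + QTYPE/QCLASS
    for _ in range(ar):                 # scan the additional section for OPT
        if msg[off] != 0:
            return None                 # OPT must carry the root name
        off += 1
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool((ttl & 0xFFFF) & DO_FLAG)
    return None


def is_truncated(msg: bytes) -> bool:
    """True if the header's TC bit is set (answer did not fit the UDP size)."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & TC_FLAG)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def next_step(response: bytes) -> str:
    """What a resolver does with a UDP response: use it, or retry over 53/tcp."""
    return "retry over TCP (port 53)" if is_truncated(response) else "use UDP answer"


# Constructed sample: header flags 0x8380 = QR|TC|RD|RA, question echoed back,
# no records. This is the shape an authority server returns when the answer
# would exceed the UDP size the client advertised.
TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
    + _encode_name("example.com")
    + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    plain = build_query("example.com")
    signed = build_query("example.com", edns=True, do=True)
    print("plain query bytes:", len(plain), "OPT:", parse_opt(plain))
    print("DO query bytes:   ", len(signed), "OPT:", parse_opt(signed))
    print("sample response truncated:", is_truncated(TRUNCATED_RESPONSE))
    print("resolver action:", next_step(TRUNCATED_RESPONSE))
    print("TCP retry frame prefix:", tcp_frame(plain)[:2].hex())
```

The point the message makes follows directly from these pieces: a client that sets DO is asking for RRSIGs alongside the data, so a signed zone's answers grow past what the server can return in a 512-byte (or even a 4096-byte) UDP packet far more often, the server sets TC, and a resolver that then cannot reach 53/tcp gets nothing usable.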